Mcp Server Chart

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OneKey Gateway wrapper for chart, spreadsheet, diagram, and map tools, with remote-service and shared demo-key privacy considerations but no evidence of hidden or destructive behavior.

Install only if you are comfortable using OneKey Gateway and sending chart, spreadsheet, diagram, or map inputs to an external service. Prefer your own scoped API key instead of relying on the shared demo fallback, and do not submit confidential datasets, regulated information, private addresses, or sensitive travel/location plans unless you have reviewed the provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (54)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The code embeds a fallback router access key directly in source via os.getenv(..., "BETA_TEST_KEY_MARCH_2026"). Hardcoded credentials are dangerous because they can be extracted from the repository or distributed artifacts and then reused to access the remote routing service without authorization. In this skill context, the key is unrelated to local chart generation and directly enables external service use, which increases the risk of secret leakage and unauthorized API consumption.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The script uses a hardcoded default access token value when the expected environment variable is absent, which can cause unintended authenticated access and credential exposure if that fallback is valid anywhere. Even if it is only a test key, embedding secrets or secret-like defaults in distributed code normalizes unsafe credential handling and can let users unknowingly send data through an external service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script falls back to a hard-coded router access token when the environment variable is absent, which embeds a credential directly in code and enables unauthorized use of the external router by anyone with access to the script. In a generic chart-generation skill, credential handling is expected only if clearly documented and securely sourced; shipping a default secret significantly increases the risk of credential leakage, misuse, and accidental production exposure.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script retrieves a router credential from the environment and silently falls back to a hardcoded access key, which is effectively a baked-in secret usable by anyone with the code. Because the script then uses that credential to invoke an external router service, this creates unauthorized service access risk and makes credential leakage or abuse much more likely.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script embeds a hardcoded fallback router credential (`BETA_TEST_KEY_MARCH_2026`) and automatically uses it when the environment variable is absent. Hardcoded secrets are insecure because they can be extracted from source control or packages and reused to access the upstream router service, and this capability is not necessary for a simple local chart wrapper.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code embeds a fallback router credential directly in source when the environment variable is absent. Hardcoded secrets are commonly leaked through repositories, logs, or package distribution, and here they enable authenticated access to an external routing service unrelated to a purely local chart-generation expectation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script silently obtains a router credential from an environment variable and falls back to a hardcoded default key, which creates unauthorized access risk and strongly suggests insecure secret handling. In an auto-generated chart wrapper, embedding a usable default credential is especially dangerous because users may unknowingly send data through a privileged external service without explicit configuration or consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script retrieves a router credential from an environment variable and even supplies a hardcoded default token value if the variable is absent. In a chart-generation skill, embedding or silently consuming router credentials expands trust beyond the stated functionality and can enable unauthorized external service access or accidental credential leakage through misuse of the tool.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script retrieves a router credential from an environment variable and silently falls back to a hardcoded default token, which can enable unauthorized outbound access even when no explicit credential was configured. In a simple chart-generation skill, embedding network-capable credentials is broader than expected and increases the risk of secret misuse, accidental production access, or use of a shared test key across installations.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script uses a hardcoded fallback value that appears to function as a router access credential when the environment variable is absent. Even if intended for testing, embedding default secrets in distributable code can enable unauthorized API use, make credential rotation difficult, and cause accidental use of non-user-controlled credentials in production-like environments.

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The script reads a router access credential from an environment variable and even falls back to a hardcoded default token-like value. For a chart-generation skill, accessing authentication material is more privilege than the description suggests, and the hardcoded fallback increases the risk of accidental unauthorized remote access or secret misuse.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The skill's effective behavior is to forward user-supplied data to a remote gateway, which is materially different from a simple local chart-generation utility. This mismatch can mislead users and integrators about trust boundaries, causing them to provide data they would not knowingly send off-host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads a router credential from an environment variable and even falls back to a hardcoded default token-like value when the variable is unset. That creates a real secret-management issue: credentials may be used outside the declared charting scope, and the embedded fallback encourages unauthorized or unintended access to a remote service.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script embeds a default router credential (`BETA_TEST_KEY_MARCH_2026`) and uses it whenever the environment variable is absent. Hardcoded credentials are dangerous because they can be extracted from source control or redistributed builds, enabling unauthorized use of the external router service and making secret rotation difficult. In this skill context, the credential is unrelated to local spreadsheet generation and indicates undisclosed remote capability, which increases risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script retrieves a router credential from the environment and silently falls back to a hard-coded default token. Embedded default credentials are dangerous because they may grant unintended access across installations, and they normalize secret reuse in a tool whose stated purpose is only chart generation. In this skill context, that behavior is more suspicious because a minimal chart helper does not need a baked-in shared access token to function safely.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script retrieves a router credential from the environment but silently falls back to a hardcoded key when none is provided. Embedding default access credentials in distributed code is unsafe because it can enable unauthorized use of the upstream router, make credential rotation difficult, and encourage deployments to run with a shared secret not intended for production use.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script retrieves a router credential from the environment and silently falls back to a hardcoded access key. Embedding a usable default credential in client-side code is dangerous because anyone with the skill can invoke the remote service, and the key may be abused, extracted, or reused outside the intended context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The map tools accept user-supplied Chinese POI/location keywords and send them to an external gateway/service for lookup and rendering, but the skill description does not warn users that potentially sensitive location inputs leave the local environment. This can lead to unintentional disclosure of travel plans, sensitive sites, or other private location data to a third party.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation states that the scripts fall back to a built-in demo key if no user key is provided, but does not clearly warn that this is a shared credential. Shared/demo credentials can expose user inputs to a common account, reduce accountability, and cause reliability or quota issues that users may not anticipate.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the full user-provided payload to a remote router with router.invoke(...) but provides no visible warning, consent prompt, or disclosure that input data leaves the local environment. This can cause unintended exfiltration of sensitive chart data, especially if users assume a chart-generation utility operates locally. Because the tool accepts arbitrary JSON input, the exposure scope depends on what users place in the payload.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script retrieves a credential from an environment variable and silently falls back to a hardcoded default token-like value before constructing a remote router. This creates two risks: accidental use of an embedded secret/default credential and undisclosed transmission of data to an external service, which can lead to unauthorized access, data leakage, and difficult-to-audit behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script forwards the user-supplied payload directly to a remote service through router.invoke without any warning, redaction, or sensitivity checks. In an agent-skill context, users may assume the tool operates locally, so silent exfiltration of chart data to a third-party endpoint can expose proprietary, personal, or otherwise sensitive information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads a credential from the environment and silently falls back to a hardcoded default key, then uses it to build a router for remote service access. Embedding a default access token and coupling it to network-capable behavior is dangerous because it can enable unauthorized API use, accidental credential leakage, and unintentional data transmission without explicit operator awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script forwards the provided payload to a remote router invocation without any confirmation, minimization, or warning that local input will be sent off-host. In an agent skill context, users may reasonably expect chart generation to be local, so silently transmitting arbitrary input can expose sensitive dataset contents or metadata to a third-party service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tool forwards the full user-supplied payload to a remote router service without any user-facing disclosure, confirmation, or data-minimization controls. In the context of a chart-generation skill, users may reasonably expect local formatting or rendering, so silent transmission to an external service increases the risk of accidental exfiltration of sensitive business or personal data embedded in chart inputs.

VirusTotal

65/65 vendors flagged this skill as clean.
